1. 28 Jul, 2023 32 commits
  2. 27 Jul, 2023 8 commits
    • Patrick Rohr's avatar
      net: remove comment in ndisc_router_discovery · ef27ba5c
      Patrick Rohr authored
      Removes superfluous (and misplaced) comment from ndisc_router_discovery.
      Signed-off-by: default avatarPatrick Rohr <prohr@google.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20230726184742.342825-1-prohr@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ef27ba5c
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 014acf26
      Jakub Kicinski authored
      Cross-merge networking fixes after downstream PR.
      
      No conflicts or adjacent changes.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      014acf26
    • Linus Torvalds's avatar
      Merge tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 57012c57
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from can, netfilter.
      
        Current release - regressions:
      
         - core: fix splice_to_socket() for O_NONBLOCK socket
      
         - af_unix: fix fortify_panic() in unix_bind_bsd().
      
         - can: raw: fix lockdep issue in raw_release()
      
        Previous releases - regressions:
      
         - tcp: reduce chance of collisions in inet6_hashfn().
      
         - netfilter: skip immediate deactivate in _PREPARE_ERROR
      
         - tipc: stop tipc crypto on failure in tipc_node_create
      
         - eth: igc: fix kernel panic during ndo_tx_timeout callback
      
         - eth: iavf: fix potential deadlock on allocation failure
      
        Previous releases - always broken:
      
         - ipv6: fix bug where deleting a mngtmpaddr can create a new
           temporary address
      
         - eth: ice: fix memory management in ice_ethtool_fdir.c
      
         - eth: hns3: fix the imp capability bit cannot exceed 32 bits issue
      
         - eth: vxlan: calculate correct header length for GPE
      
         - eth: stmmac: apply redundant write work around on 4.xx too"
      
      * tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
        tipc: stop tipc crypto on failure in tipc_node_create
        af_unix: Terminate sun_path when bind()ing pathname socket.
        tipc: check return value of pskb_trim()
        benet: fix return value check in be_lancer_xmit_workarounds()
        virtio-net: fix race between set queues and probe
        net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
        splice, net: Fix splice_to_socket() for O_NONBLOCK socket
        net: fec: tx processing does not call XDP APIs if budget is 0
        mptcp: more accurate NL event generation
        selftests: mptcp: join: only check for ip6tables if needed
        tools: ynl-gen: fix parse multi-attr enum attribute
        tools: ynl-gen: fix enum index in _decode_enum(..)
        netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
        netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
        netfilter: nft_set_rbtree: fix overlap expiration walk
        igc: Fix Kernel Panic during ndo_tx_timeout callback
        net: dsa: qca8k: fix mdb add/del case with 0 VID
        net: dsa: qca8k: fix broken search_and_del
        net: dsa: qca8k: fix search_and_insert wrong handling of new rule
        net: dsa: qca8k: enable use_single_write for qca8xxx
        ...
      57012c57
    • Linus Torvalds's avatar
      Merge tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire · bc168790
      Linus Torvalds authored
      Pull soundwire fixes from Vinod Koul:
      
       - Core fix for enumeration completion
      
       - Qualcomm driver fix to update status
      
       - AMD driver fix for probe error check
      
      * tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
        soundwire: amd: Fix a check for errors in probe()
        soundwire: qcom: update status correctly with mask
        soundwire: fix enumeration completion
      bc168790
    • Linus Torvalds's avatar
      Merge tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy · 53c8621b
      Linus Torvalds authored
      Pull phy fixes from Vinod Koul:
      
       - Out of bound fix for hisilicon phy
      
       - Qualcomm synopsis femto phy for keeping clock enabled during suspend
         and enabling ref clocks
      
       - Mediatek driver fixes for upper limit test and error code
      
      * tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
        phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
        phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code
        phy: qcom-snps-femto-v2: properly enable ref clock
        phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend
        phy: mediatek: hdmi: mt8195: fix prediv bad upper limit test
        phy: phy-mtk-dp: Fix an error code in probe()
      53c8621b
    • Linus Torvalds's avatar
      Merge tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 64de76ce
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix accounting of global block reserve size when block group tree is
         enabled
      
       - the async discard has been enabled in 6.2 unconditionally, but for
         zoned mode it does not make that much sense to do it asynchronously
         as the zones are reset as needed
      
       - error handling and proper error value propagation fixes
      
      * tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: check for commit error at btrfs_attach_transaction_barrier()
        btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
        btrfs: remove BUG_ON()'s in add_new_free_space()
        btrfs: account block group tree when calculating global reserve size
        btrfs: zoned: do not enable async discard
      64de76ce
    • Linus Torvalds's avatar
      Merge tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock · 379e6671
      Linus Torvalds authored
      Pull memblock fix from Mike Rapoport:
       "A call to memblock_free() or memblock_phys_free() issued after
        memblock data is discarded will result in use after free in
        memblock_isolate_range().
      
        Avoid those issues by making sure that memblock_discard points
        memblock.reserved.regions back at the static buffer"
      
      * tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
        mm,memblock: reset memblock.reserved to system init state to prevent UAF
      379e6671
    • Jann Horn's avatar
      mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock · 657b5146
      Jann Horn authored
      lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't
      be called in the VMA-locked page fault path by ensuring that
      vma->anon_vma is set.
      
      However, this check happens before the VMA is locked, which means a
      concurrent move_vma() can concurrently call unlink_anon_vmas(), which
      disassociates the VMA's anon_vma.
      
      This means we can get UAF in the following scenario:
      
        THREAD 1                   THREAD 2
        ========                   ========
        <page fault>
          lock_vma_under_rcu()
            rcu_read_lock()
            mas_walk()
            check vma->anon_vma
      
                                   mremap() syscall
                                     move_vma()
                                      vma_start_write()
                                       unlink_anon_vmas()
                                   <syscall end>
      
          handle_mm_fault()
            __handle_mm_fault()
              handle_pte_fault()
                do_pte_missing()
                  do_anonymous_page()
                    anon_vma_prepare()
                      __anon_vma_prepare()
                        find_mergeable_anon_vma()
                          mas_walk() [looks up VMA X]
      
                                   munmap() syscall (deletes VMA X)
      
                          reusable_anon_vma() [called on freed VMA X]
      
      This is a security bug if you can hit it, although an attacker would
      have to win two races at once where the first race window is only a few
      instructions wide.
      
      This patch is based on some previous discussion with Linus Torvalds on
      the security list.
      
      Cc: stable@vger.kernel.org
      Fixes: 5e31275c ("mm: add per-VMA lock and helper functions to control it")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      657b5146